If both units boot at the same time, the primary becomes active and the secondary remains standby

Failover occurs on a unit basis

With Active/Standby and preemption enabled, it will make sure that the correct primary is running after both ASAs boot

With Active/Active, failover can occur on a failover group basis

Link types -

Normal Interfaces

Can be configured with active and standby IPs and MAC addresses

When failover occurs, the unit becoming active takes over the active IP and MAC addresses, and the unit becoming standby takes over the standby IP and MAC addresses. Traffic continues to be forwarded and the ARP entries on neighbouring devices don't need to change

ASA does not send gratuitous ARPs for static NAT addresses when MAC addresses change

Failover Link -

Can be a physical interface or a port channel, but it must not currently have a nameif configured on it

Can't be a shared interface

Needs to be layer 2 adjacent

When a failover occurs, the IP and MAC addresses don't change on this interface

Communicates the following with the peer:

State - whether it's active or standby

Hello messages/keepalives

Network link status

MAC addresses

Configuration replication and syncing

Stateful Link

This link is optional, but it is not created automatically; you must configure it if you want stateful failover

This can be shared with the failover link to conserve interfaces

Can use a physical interface or port channel, like the failover link. If it uses a port channel, only one link in the bundle is used, to prevent packets from arriving out of order

Should be layer 2 adjacent as well

When a failover occurs, the IP and MAC addresses don't change on this interface UNLESS it's configured on a data port

HA with Transparent Firewall Mode -

Spanning tree is a consideration here, since switch ports go into blocking mode while STP reconverges. You can potentially avoid this by using access ports toward the transparent firewall, but you have to make sure you don't create loops

Health -

The ASA relies on hello messages to determine the health of the other ASA

If 3 consecutive hello messages aren't received, the ASA sends a special message on all of its interfaces to see if the peer responds

If there is no response on the failover link, it won't fail over.

If there's a response on one of the data interfaces but not on the failover link, it won't fail over, but it will mark the failover link as failed.

If there is no response on any interface, it assumes the other unit has failed and fails over

Can monitor up to 250 interfaces as part of health check on the ASA. Recommended to only monitor the important ones.

With Firepower, it monitors the backplane and if the module fails, that'll trigger a failover

Interfaces with both IPv4 and IPv6 addresses will use the IPv4 address for monitoring

Interface tests performed by the ASA:

Link Up/Link Down

Network Activity from generated traffic

ARP test to see if the interface counts ARP requests

Broadcast ping test

Replication -

The standby keeps the replicated configuration in running memory only. To save it to startup-config on both units, use the write memory all command

Some files are not replicated including the following:

Anyconnect images & profiles

CSD images

Local CAs

ASA images

ASDM images

Commands not replicated to the standby:

Copy commands except copy running-config startup-config

Write commands except write memory

Debug commands

Failover lan unit commands

Firewall

Show

Terminal pager and pager

Active/Standby Configuration

On the ASA you want to be primary, issue the following:
failover lan unit primary

Optionally, you can specify an interface to use as the state link:
failover link state-name interface

If the state link is a separate interface, you'll want to configure the active and standby IP addresses for it:
failover interface ip state-name ip-address mask standby ip-address

Enable the state link interface:
interface interface
no shutdown

Optionally, if you want to encrypt the traffic on the failover and state links, you can do it the same way you did before with Active/Standby, using the same command:
failover ipsec pre-shared-key key

If you choose to, you can use a failover key instead of IPsec with the following command, which is considered a legacy command:
failover key key

Create failover group 1:
failover group 1
primary
preempt delay

Create failover group 2:
failover group 2
secondary
preempt delay

Add a context to a failover group:
context name
join-failover-group {1|2}

Enable failover:
failover

Configure the secondary the same way, except that you wouldn't use the failover lan unit primary command, since secondary is the default. The failover group and join-failover-group commands are replicated from the primary unit. You may want to force failover of failover group 2 so that it is active on the secondary unit:
failover active group 2
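Putting the procedure above together, here is an added example (not from the original notes) of the system-context configuration for an Active/Active pair. It assumes multiple context mode with contexts ctx1 and ctx2 already defined; interface names, addresses and the pre-shared key are placeholders, and the failover lan interface command for the failover link itself is assumed from the Active/Standby setup the notes refer to.

```text
! ===== Primary unit (system execution space) =====
! Added example; names, addresses and key are placeholders
failover lan unit primary
! Failover link (assumed command, not shown in the notes above)
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
interface GigabitEthernet0/2
 no shutdown
! Separate stateful link with its own active/standby addresses
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
interface GigabitEthernet0/3
 no shutdown
! Encrypt failover and state traffic between the peers
failover ipsec pre-shared-key REPLACE-WITH-PSK
! Group 1 prefers the primary, group 2 prefers the secondary;
! both preempt 30 seconds after the preferred unit comes back
failover group 1
 primary
 preempt 30
failover group 2
 secondary
 preempt 30
! Assign one context to each group (replicated to the secondary)
context ctx1
 join-failover-group 1
context ctx2
 join-failover-group 2
failover

! ===== Secondary unit (system execution space) =====
! No "failover lan unit" command: secondary is the default.
! Link definitions and the key are not replicated, so repeat them.
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
failover ipsec pre-shared-key REPLACE-WITH-PSK
failover
! Make group 2 active here right away rather than waiting for preemption
failover active group 2
```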

Optionally, you can also configure asymmetric routing support on Active/Active to restore asymmetrically routed packets to the right interface. To do so, you assign like interfaces on the two ASAs to the same ASR group. Make sure you have stateful failover and HTTP replication enabled before starting the configuration, and apply the configuration within all the active contexts on both the primary and standby ASAs. One caveat to remember is that you cannot configure both ASR groups and traffic zones in the same context. To configure the ASR groups, do the following:

On the primary and secondary, enter the interface on which you want to allow asymmetrically routed packets and set the ASR group for it:
interface interface
asr-group num

Other nerd knobs:

Changing the unit poll and hold times. Note: you can't enter a hold time value that is less than 3 times the unit poll time. Change the times with the following command:
failover polltime [unit] [msec] poll-time [holdtime [msec] time]

Change the session replication rate. The default is the maximum rate for the ASA model. Change it with the following command in Active/Standby; in Active/Active, it can't be set per failover group:
failover replication rate conns

Configure thresholds for failover when interfaces fail. The default is that when one monitored interface fails, it causes a failover:
failover interface-policy num[%] (Active/Standby)
interface-policy num[%] (Active/Active, under the failover group)
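An added example (not from the original notes) that combines the ASR group configuration with the tuning knobs above on an Active/Active pair; context names, interface names and all values are placeholders, and the 500 ms / 1500 ms pair is chosen to sit exactly at the 3x poll-time minimum for the hold time.

```text
! ===== System execution space, both units =====
! Poll every 500 ms; hold time must be at least 3 x poll time, so 1500 ms is
! the smallest value accepted with this poll time
failover polltime unit msec 500 holdtime msec 1500
! Replication rate is global, it cannot be set per failover group
failover replication rate 10000
! Active/Active: the interface threshold lives under each failover group.
! Group 1 fails over when 2 monitored interfaces are down, group 2 when 50% are.
! replication http is required for ASR groups to work (notes above).
failover group 1
 interface-policy 2
 replication http
failover group 2
 interface-policy 50%
 replication http
! For comparison, the Active/Standby (global) forms would be:
!   failover interface-policy 2
!   failover replication http

! ===== Inside each active context (do this on both units) =====
! Interfaces that may receive each other's return traffic share ASR group 1.
! Do not combine this with traffic zones in the same context.
! -- context ctx1 (failover group 1) --
interface GigabitEthernet0/0.10
 nameif outside-isp-a
 asr-group 1
! -- context ctx2 (failover group 2) --
interface GigabitEthernet0/0.20
 nameif outside-isp-b
 asr-group 1
```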